
role, the time to do so might have arrived. IT organizations are at a crossroads today, and the need for such an assignment is growing by leaps and bounds as organizations fall under ever more burdensome regulations. Security professionals will be in high demand as organizations branch out to leverage new trends and opportunities, such as bring-your-own-device and cloud services.

The need for a chief security officer

Today's technology environments are spreading like wildfire. Connectivity to multiple disparate networks is seen as the norm, and organizations are increasing both the amount of gear they deploy and the number of applications they support. What's more, smartphones really are full computers that employees carry with them wherever they go, whether to a meeting, the boss' office, a movie, lunch or the offices of a competitor. This is technology that can be used for good -- or for evil.

By 2020, organizations will adopt multiple services from the cloud, bring your own device (BYOD) will be a way of life and the chief security officer will need to understand exactly how everything fits together. Today, organizations already struggle with BYOD and its security implications; by 2020, almost all employees will have smartphones and tablets, as well as the 2020 mobile device du jour.

There's more to consider. By 2020, cloud services will integrate more seamlessly into existing IT environments. I see cloud becoming just another services tier in many cases, but there will be a lot of hooks into the environment, and every single hook will be a potential security risk. Further, as more cloud services come into the organization, CSOs must review the vendor's security posture for each and every service as part of the acquisition decision.

In short, the CSO of 2020 will confront a massively decentralized environment that requires attention on multiple fronts.

Two views on the chief security officer role

Perhaps to the dismay of security professionals, the chief security officer still won't be considered a full member of the executive team in 2020. While information and organizational security are incredibly important to an organization, the entire security paradigm should fall into existing risk management systems. But CSOs will provide regular reports to the executive team and the board, particularly as information security grows in importance.

I don't see today's common business structures changing that much between now and 2020, but with more organizations hiring CSOs, the two existing structures will be solidified.

In one scenario, the CSO reports directly to the CIO and might even be somewhat off to the side of the formal IT organizational chart in order to maintain separation from "line" IT staff. The CSO regularly briefs the CIO on potential security issues and works with IT staff to ensure that any identified security issues are resolved as quickly as possible. In a perfect world, the CSO must sign off on items that could have a security impact, including new system and application deployments. The CSO is also responsible for performing regular penetration tests and generally verifying that the security systems that have been implemented are working well. The downside is that some may see IT as controlling both security and the reporting element.

On the flip side, some organizations require that the CSO have a dotted line to the organization's primary risk management officer to maintain effective checks and balances. This structure places the CSO directly inside the realm of the chief risk management officer. Here, the CSO is an outside agent rather than an internal resource for the CIO, and the CSO may or may not have a dotted line to the CIO. The responsibilities are similar, but the CSO may have more veto power over certain IT initiatives and services.

This is happening today to a point, but by 2020, I see the role of the CSO as helping organizations protect themselves from themselves. Too often, decisions are made that can have a negative security impact on the organization. By 2020, we will see more organizations with fully funded CSO positions, and these CSOs will have significant power when it comes to service acquisition. While they will not be fully autonomous, their signature will be required before the organization can agree to new service contracts and service engagements.

Today, although many organizations have yet to hire CSOs, we are seeing this position added to the payroll in some organizations. By 2020, the CSO will be all but a required position, whether due to complexity or regulation. The structures and responsibilities that are beginning to take hold today will explode as the breadth and depth of the security function grows alongside the expansion of the technology environment.
